When I press on some message to forward it, it shows me Random usernames of contacts I don’t know. And it even shows some Mobile Numbers I don’t know. For example, one number starts with +964 that’s Iraq. I’m from Europe tho. These contacts and numbers are from all over the place.

Edit: This only happens on Signal Desktop. If I try to forward a message on Android it only shows my Contacts. And none of these unkown ones.

0 points
*

Huge if true! You could conceivably submit your phone to a Cybersecurity company and share in any reward.

Help us with:

  • Your OS Version
  • OS settings that are possibly related
  • How you obtained Signal
  • Signal version
  • Video proof
  • Steps to reproduce

Who knows how to compute a hash for an installed mobile phone app? We need to compare it with legit.

permalink
report
reply
0 points

https://imgur.com/a/a6CQSpA

The video proof. It also shows the OS and Steps to reproduce. How I obtained Signal: Flathub Signal Version: 6.38.0 OS Settings: Nothing relevant.

permalink
report
parent
reply
0 points
*

I advise you stop using Signal Desktop immediately, they keep the database key in plaintext. Exposed over 5 years ago and still not fixed. Frankly I find this pretty pathetic. Making this safer could be as simple as encrypting such files with something like age and perhaps regenerate the keys on a frequent basis (yes I know full disk encryption is somehow a viable solution against unwanted physical access. But instead, they’d rather focus on security by network effect by adding shiny UX features instead of fixing infrastructural stuff, like improving trust by decentralization, not requiring phone numbers to join, or adding support for app pasphrase (which is available in case of Molly, along with regular wiping of RAM data which makes things like cold boot or memory corruption attacks harder)

permalink
report
parent
reply
0 points

There is nothing more that I hate then typing on my Phone. I can’t life without Signal Desktop.

permalink
report
parent
reply
0 points

Why did someone see that I joined Signal? People who already know your number and already have you in their contacts see that they can contact you on Signal. Nothing is sent to them by your Signal app or the Signal service. They just see a number they know is registered. If someone knows how to send you an insecure SMS, we want them to see that they can send you a Signal message instead.

Why did I see that my contact joined Signal? You are notified when someone that is stored in your contact list is a new Signal user. If you can send an insecure SMS to a contact, we want you to know you can send a Signal message instead.

I hate this.

permalink
report
reply
0 points

So Signal does not protect against those that fill their contacts with every existing number?

But also, this does not explain why is it only happening in the desktop app for OP

permalink
report
parent
reply
0 points

Protect against what? People knowing you have Signal? Excuse me if it’s obvious to everyone else, but I’m struggling to understand the issue here.

permalink
report
parent
reply
0 points

It confirms that your number is valid and in use.

permalink
report
parent
reply
0 points

I just counted. Signal leaked 56 random people to me.

permalink
report
reply
0 points
*

For all of our safety, consider submitting a bugreport.

permalink
report
reply
0 points

Thanks for the Link. I submitted a report.

permalink
report
parent
reply
0 points

link to report so we can track? thanks!

permalink
report
parent
reply
0 points

I don’t think it’s the same user, but here’s a report on GitHub with same repro

permalink
report
parent
reply
0 points

I just followed his link and submitted my report. Don’t have any link.

permalink
report
parent
reply
0 points

Has anyone else been able to reproduce this? I just tried and was not able to.

OP, is it possible these people were in group chats you were part of?

permalink
report
reply
0 points

I still don’t see any bug report anyone can follow up on… I cannot trust OP’s experience until that’s linked here.

permalink
report
parent
reply
0 points

The bug report forum from Signal doesn’t give you any link.

permalink
report
parent
reply
0 points

No, they are not. I’m in two groups. None of them are in the groups. I only use Signal for Real life friends from my Country. I never joined any random group. These people are from all over the world.

permalink
report
parent
reply
0 points

Interesting. Are there any other accounts on your phone that provide contacts? Maybe social media or other chat platforms? On Android you can see accounts in Settings > Passwords & Accounts (or somewhere similar; it varies a little between brands). You can also check inside your Contacts app by expanding the sidebar (again, varies by brand).

Just a thought. I don’t have any other contact providers on my phone so I can’t test it myself.

Please keep us posted if you get any official response or learn anything new!

permalink
report
parent
reply
0 points

Nope. And I maybe had to add (did it now) that this only appears to be a problem with Signal Desktop. My signal app on android doesn’t even show other contacts from strangers. I will update this if I get a response, of course.

permalink
report
parent
reply
0 points

Group chats very likely. There are often sync issues from mobile, so these may just be old spam or group chat numbers.

permalink
report
parent
reply

Privacy

!privacy@lemmy.ml

Create post

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

Community stats

  • 4.4K

    Monthly active users

  • 1.7K

    Posts

  • 24K

    Comments